Why is Student Data Privacy So Complicated?

When I was in school, no one seemed terribly concerned about privacy. Beginning at age 5, my grades, behavior, vaccinations, allergies, eyesight, hearing, sick days, physical fitness, interests, attitudes, aptitudes, whether I drank the free milk (and was it skim or whole?), socialization skills, what I wanted to be when I grew up and more were noted. Most of it was kept in a dusty file cabinet in the principal’s office. No one thought about accessing the information. After all, what was so interesting about that pile of book reports or whether or not my third grade teacher thought I was working up to my potential? Certainly no one thought that the information in those records might inform a teacher about what learning style worked best for me, or that it could be used to help me carve out my path to college and beyond. And if they did, such extrapolation wasn’t possible on any scale.

Flash forward.Today schools, parents, technology providers and legislators wrestle with student data privacy almost daily. From confusion over FERPA to concerns about who might have access to the data, a matrix of worry, fear and regulation has been created that is difficult to untangle.

According to Data Quality Campaign, in 2014, 36 states proposed over 110 student data privacy bills. So far this year, another 55 bills have been added to the list, and President Obama is proposing a student data privacy bill of rights to make it a federal violation to use student data for marketing purposes.

What’s driving this climate?It’s impossible to capture all the details in one article, but perhaps it can best be summed up with one word: FEAR.

Fear of FERPA, fear of technology, fear of marketing, fear of data and mostly, fear of the unknown.

Let’s examine further.

FERPA, the Family Educational Rights and Privacy Act, has been federal law since 1974. It’s complex, but it basically requires that educational institutions receiving federal funding take steps to protect the privacy of student data. It prevents schools from disclosing certain information about students without prior permission from or notice to parents or students who have reached the age of majority. Receiving permission or providing notice depends on the data and in some cases, the circumstances. When it comes to compliance, the stakes are high: schools that don’t align with FERPA risk losing federal funding.

FERPA was written well before the culture of privacy that currently exists, and the data definitions don’t always align well with those in other privacy regulations. In addition, schools are challenged to be fully fluent in FERPA, but are often unsure of how to accurately interpret the requirements. There’s also very little in the way of enforcement history to guide them around the edges.

Enter technology, and schools are even more nervous about compliance. It’s common to hear questions such as, “who has the data” and “where might it end up?” Some fear that technology companies are taking the students’ personal information and using it for financial gain by behaviorally marketing to students. Is that possible? Yes. Would it happen without a parent or adult student providing permission in advance? Not legally!Is that a common business model for education technology companies? No.

Many K-12 education technology companies earn revenue by selling or licensing their product to schools, or through subscriptions. Some do accept advertising. Others shun that entirely. (Truth be told, there are many small ed tech developers that launch with no revenue model, just good intentions, fingers crossed and a dogged pursuit of foundation grants and investors to help get them off the ground.)

Consider that, in addition to FERPA, under the Children’s Online Privacy Protection Act (COPPA), when personal information is collected online from children under the age of 13, companies are not legally allowed to send that data to a third party for marketing purposes without a parent’s prior permission.

Repercussions for an operator that violates federal privacy requirements? With COPPA, the penalties begin with fines of up to $16K per violation (that’s per student, so it adds up quickly). Repercussions for a technology provider who operates outside the bounds of FERPA? They’re prevented from operating in a school system for a period of 5 years. Long enough to torpedo most any business plan.

Understandably, many schools and parents worry that they simply don’t know what the technology is doing. It can be overwhelming to read through all those privacy policies, terms of use and contracts and come up with the plain-English answer to the question, “What happens to the student data?”

Schools need to be able to tell parents what data management platforms, websites and apps are used in their school, and their policies around technology and student data privacy. Technology providers need to be compliant and transparent about their practices. Legislators need to enforce existing rules and listen to the needs of all stakeholders before creating new ones.

Where does this leave us? There’s nothing simple about addressing data privacy and security concerns, and there are many voices that lay stakes around the issues. As a result, there is no one-size-fits-all solution. However, as in most situations, the antidote to fear starts with KNOWLEDGE.

Up next: Taking Fear out of the Student Data Privacy Equation. A look at some of the available resources and action that each stakeholder group can take to bring greater transparency to the process.

Can’t wait for the next post? Want to talk about solutions today? Email me at Linnette@PlayWell-LLC.com. I’d be happy to discuss in more detail.

Don’t forget to sign up for our newsletter! Simply write “subscribe” in the subject line of an email and send to Linnette@PlayWell-LLC.com.

Welcome to PlayWell

When engaging with the youth market, operating responsibly can be your biggest business advantage. PlayWell's mission is to partner with clients to successfully navigate the compliance world and drive your business forward.